Filed Under (News, WordPress) by DK on 17 September 2007

As some of you already know, the BlogSec team have been working on a WordPress hardening plugin for some time now, and I thought we’d give you guys an update.

The WP Hardening project started a long time ago in a far away land! David Kierznowski initially started the wp-securify project, intended as a hardening tool for WordPress. Philipp Heinze then joined in and designed the core of wp-ids, with team effort from Mario of PHP-IDS. Just as the project started taking shape, Gareth Heyes joined the BlogSec team and threw a spanner in the works :) by bringing us wp-lockdown. All in all the project is absolutely kick ass, and we hope to release the first version shortly after we have tested it sufficiently.

So what does this plugin do? In short, it will detect, stop and log potential attacks and threats, mitigating both known and unknown vulnerabilities.

We’ll keep you guys posted!

Other info:
- PHP-IDS/BlogSec Article

Read and Contribute to BlogSec News!

Comments

Daniel on 17 September, 2007 at 12:59 pm #

I’m offering my help where needed!


Pedro on 17 September, 2007 at 1:55 pm #

Hi there David,

I’m looking forward for this tool. It looks quite promising… any forecast on when it’s going to be released?

Regards,

Pedro.


David Kierznowski on 17 September, 2007 at 2:20 pm #

Daniel, we need to get you on the BlogSec group list if you're keen?

Pedro, wp-ids (one component) is available on the PHP-IDS site; however, the combined power tool spoken of in this post is estimated in the next couple of weeks. Be aware though that we may not support PHP4 as it's on its way out. So while people are waiting you may want to look at PHP5 migration!


SigT on 17 September, 2007 at 2:53 pm #

WPIDS and the WordPress Hardening Project…

WPIDS is a port of PHPIDS to WordPress; if I'm not mistaken the translation would be Intrusion Detection System for WordPress (WordPress Intrusion Detection System), since although they don't explain the term, that is what IDS refers to.

According to a …


Tomsn on 17 September, 2007 at 6:01 pm #

One question: why do the WP developers not add some hardening things, like the output text for a wrong username or password…
Every change I made has had it as soon as a new update comes… :-(


Robert Irizarry on 17 September, 2007 at 6:57 pm #

I’m really looking forward to this plugin and I’m sure folks will appreciate an easy way to harden their WordPress environments. Thanks in advance!


[…] WordPress Hardening Project David Kierznowski of Gnucitizen and Philipp Heinze have been working on a WordPress lock down tool, wp-lockdown, to help make the blogging world a safer place. You can find more on this, and the plugin wp-ids, over at the WordPress Blog. […]


ReZEN on 21 September, 2007 at 12:11 pm #

I wrote a personal plugin, encryptconf, which encrypts the WordPress configuration file. Might want to give it a look: http://www.rezen.org/encryptconf.zip


Mutt on 24 September, 2007 at 4:02 pm #

I’ve been testing Gareth’s WP-Lockdown. Seems to work well for me with most of the bugs now ironed out. I look forward to developments here.


David Kierznowski on 24 September, 2007 at 4:11 pm #

Mutt, great to hear, thanks for your feedback!


BlogSecurity » Inspector WordPress Plugin Review on 8 October, 2007 at 7:11 am #

[…] The plugin has a list of security conditions (stored in conditions.txt). These rules define what requests are considered bad. I took interest in the plugin to see if we could use it in the WP hardening project. […]


AskApache on 17 October, 2007 at 4:27 am #

This is a really nice, well-thought-out effort, but not a best-practice…

The BEST way to block all of these files is to only block EXTERNAL requests for them. IOW, if your wp-cache requests a file, it should be allowed. If a visitor on your webpage requests the same file, it should be denied. This seems impossible to accomplish but actually mod_rewrite provides a really cool way…

For example, this blocks all external requests (except those generated by the ErrorDocument code /index.php?error=code) for files ending in .php in either the wp-includes or wp-content directory, but it doesn’t block your server or WP install!

# Skip the block when the query string contains "error" (ErrorDocument requests)
RewriteCond %{QUERY_STRING} !error
# Match the raw request line: METHOD /wp-includes/... or /wp-content/... ending in .php
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /(wp-includes|wp-content)/(.+)\.php\ HTTP/
# Both conditions hold: answer 403 Forbidden
RewriteRule .* - [F]

Code from the htaccess tutorial.

Another way to secure your WordPress with .htaccess is by using my WordPress plugin: htaccess password protect on AskApache.com
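Before deploying a rule chain like the one above it is worth checking exactly which request lines it matches. The simulator below is an added example (my code, not AskApache's or the BlogSec project's) that evaluates the three posted lines the way Apache does, and beside them a tightened variant that is my own assumption: the `!error` exception as posted fires on any query string containing the substring "error", and the `.php\ HTTP/` pattern only matches a bare path, so a .php request carrying any query string falls through unblocked.

```python
import re

# Constructed simulator for the three mod_rewrite lines posted above.
# Apache semantics mimicked here: %{QUERY_STRING} is the text after "?",
# %{THE_REQUEST} is the raw request line ("GET /path?q HTTP/1.1"), each
# RewriteCond pattern is a regex, a leading "!" negates it, and the
# RewriteRule with [F] fires (403) only when every condition holds.

# Conditions exactly as posted in the comment.
POSTED_QUERY_EXCEPTION = re.compile(r"error")          # used negated: "!error"
POSTED_REQUEST_MATCH = re.compile(
    r"^[A-Z]{3,9}\ /(wp-includes|wp-content)/(.+)\.php\ HTTP/")

# Tightened variants (assumption, not from the comment): the exception only
# honours a parameter literally named "error", and ".php" is matched whether
# a query string follows it or not.
TIGHT_QUERY_EXCEPTION = re.compile(r"(?:^|&)error=")
TIGHT_REQUEST_MATCH = re.compile(
    r"^[A-Z]{3,9}\ /(wp-includes|wp-content)/(.+)\.php(?:\?|\ HTTP/)")

def query_string(request_line):
    """Extract %{QUERY_STRING} from a raw request line."""
    _method, target, _protocol = request_line.split(" ", 2)
    return target.partition("?")[2]

def forbidden(request_line, exception, request_match):
    """True if this rule chain would answer 403 for the request line."""
    if exception.search(query_string(request_line)):
        return False  # the negated condition fails, so the rule never runs
    return request_match.search(request_line) is not None

def forbidden_as_posted(request_line):
    return forbidden(request_line, POSTED_QUERY_EXCEPTION, POSTED_REQUEST_MATCH)

def forbidden_tightened(request_line):
    return forbidden(request_line, TIGHT_QUERY_EXCEPTION, TIGHT_REQUEST_MATCH)

# Constructed request lines exercising both versions of the chain.
SAMPLE_REQUESTS = [
    "GET /wp-content/plugins/hello.php HTTP/1.1",           # 403 under both
    "GET /index.php?error=403 HTTP/1.1",                    # ErrorDocument path: allowed
    "GET /wp-includes/js/x.php?error=403 HTTP/1.1",         # exception honoured by both
    "GET /wp-content/themes/t/style.css HTTP/1.1",          # not .php: allowed
    "GET /wp-content/plugins/hello.php?v=1 HTTP/1.1",       # posted: allowed, tight: 403
    "GET /wp-content/plugins/hello.php?errors=1 HTTP/1.1",  # posted: allowed, tight: 403
]

def report():
    """Map each sample request line to (posted_verdict, tightened_verdict)."""
    return {r: (forbidden_as_posted(r), forbidden_tightened(r)) for r in SAMPLE_REQUESTS}

if __name__ == "__main__":
    for line, (posted, tight) in report().items():
        print(f"posted={'403' if posted else '200'} tight={'403' if tight else '200'}  {line}")
```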


[…] so on. In short, it's a defense plugin for WordPress that BlogSec members have been working on for a few months now. I would say it was more of an Intruder Prevention System than an Intruder Detection […]

